github · tausbn · Mar 26, 2026 · Mar 26, 2026 · Mar 26, 2026 · Mar 26, 2026
@@ -0,0 +1,9 @@
+extensions:
+  - addsTo:
+      pack: codeql/python-all
+      extensible: typeModel
+    data:
+      # See https://eventlet.readthedocs.io/en/latest/patching.html
+      - ['socket.socket', 'eventlet', 'Member[green].Member[socket].Member[socket].ReturnValue']
+      # eventlet also re-exports as eventlet.socket for convenience
+      - ['socket.socket', 'eventlet', 'Member[socket].Member[socket].ReturnValue']
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: codeql/python-all
+      extensible: typeModel
+    data:
+      # See https://www.gevent.org/api/gevent.socket.html
+      - ['socket.socket', 'gevent', 'Member[socket].Member[socket].ReturnValue']
@@ -27,6 +27,8 @@ extensions:
       extensible: sinkModel
     data:
       - ["zipfile.ZipFile","Member[extractall].Argument[0,path:]", "path-injection"]
+      # See https://docs.python.org/3/library/socket.html#socket.socket.bind
+      - ["socket.socket", "Member[bind].Argument[0,address:]", "bind-socket-all-interfaces"]
 
   - addsTo:
       pack: codeql/python-all
@@ -184,6 +186,8 @@ extensions:
       pack: codeql/python-all
       extensible: typeModel
     data:
+      # See https://docs.python.org/3/library/socket.html#socket.socket
+      - ['socket.socket', 'socket', 'Member[socket].ReturnValue']
       # See https://docs.python.org/3/library/urllib.parse.html#urllib.parse.urlparse
       - ["urllib.parse.ParseResult~Subclass", 'urllib', 'Member[parse].Member[urlparse]']
 

@@ -2,7 +2,7 @@
  * @name Binding a socket to all network interfaces
  * @description Binding a socket to all interfaces opens it up to traffic from any IPv4 address
  * and is therefore associated with security risks.
- * @kind problem
+ * @kind path-problem
  * @tags security
  *       external/cwe/cwe-200
  * @problem.severity error
@@ -14,7 +14,9 @@
 
 import python
 import semmle.python.dataflow.new.DataFlow
-import semmle.python.ApiGraphs
+import semmle.python.dataflow.new.TaintTracking
+private import semmle.python.frameworks.data.ModelsAsData
+import BindToAllInterfacesFlow::PathGraph
 
 /** Gets a hostname that can be used to bind to all interfaces. */
 private string vulnerableHostname() {
@@ -26,45 +28,26 @@ private string vulnerableHostname() {
     ]
 }
 
-/** Gets a reference to a hostname that can be used to bind to all interfaces. */
-private DataFlow::TypeTrackingNode vulnerableHostnameRef(DataFlow::TypeTracker t, string hostname) {
-  t.start() and
-  exists(StringLiteral allInterfacesStringLiteral | hostname = vulnerableHostname() |
-    allInterfacesStringLiteral.getText() = hostname and
-    result.asExpr() = allInterfacesStringLiteral
-  )
-  or
-  exists(DataFlow::TypeTracker t2 | result = vulnerableHostnameRef(t2, hostname).track(t2, t))
+private module BindToAllInterfacesConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    source.asExpr().(StringLiteral).getText() = vulnerableHostname()
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    ModelOutput::sinkNode(sink, "bind-socket-all-interfaces") and
+    // Network socket addresses are tuples like (host, port), so we require
+    // the bind() argument to originate from a tuple expression. This excludes
+    // AF_UNIX sockets, which pass a plain string path to bind().
+    any(DataFlow::LocalSourceNode n | n.asExpr() instanceof Tuple).flowsTo(sink)
+  }
 }
 
-/** Gets a reference to a hostname that can be used to bind to all interfaces. */
-DataFlow::Node vulnerableHostnameRef(string hostname) {
-  vulnerableHostnameRef(DataFlow::TypeTracker::end(), hostname).flowsTo(result)
-}
-
-/** Gets a reference to a tuple for which the first element is a hostname that can be used to bind to all interfaces. */
-private DataFlow::TypeTrackingNode vulnerableAddressTuple(DataFlow::TypeTracker t, string hostname) {
-  t.start() and
-  result.asExpr() = any(Tuple tup | tup.getElt(0) = vulnerableHostnameRef(hostname).asExpr())
-  or
-  exists(DataFlow::TypeTracker t2 | result = vulnerableAddressTuple(t2, hostname).track(t2, t))
-}
+private module BindToAllInterfacesFlow = TaintTracking::Global<BindToAllInterfacesConfig>;
 
-/** Gets a reference to a tuple for which the first element is a hostname that can be used to bind to all interfaces. */
-DataFlow::Node vulnerableAddressTuple(string hostname) {
-  vulnerableAddressTuple(DataFlow::TypeTracker::end(), hostname).flowsTo(result)
-}
-
-/**
- * Gets an instance of `socket.socket` using _some_ address family.
- *
- * See https://docs.python.org/3/library/socket.html
- */
-API::Node socketInstance() { result = API::moduleImport("socket").getMember("socket").getReturn() }
+private import BindToAllInterfacesFlow
 
-from DataFlow::CallCfgNode bindCall, DataFlow::Node addressArg, string hostname
-where
-  bindCall = socketInstance().getMember("bind").getACall() and
-  addressArg = bindCall.getArg(0) and
-  addressArg = vulnerableAddressTuple(hostname)
-select bindCall.asExpr(), "'" + hostname + "' binds a socket to all interfaces."
+from PathNode source, PathNode sink
+where flowPath(source, sink)
+select sink.getNode(), source, sink,
+  "Binding a socket to all interfaces (using $@) is a security risk.", source.getNode(),
+  "'" + source.getNode().asExpr().(StringLiteral).getText() + "'"
@@ -0,0 +1,5 @@
+---
+category: minorAnalysis
+---
+
+- The `py/bind-socket-all-network-interfaces` query now uses the global data-flow library, leading to better precision and more results. Also, wrappers of `socket.socket` in the `eventlet` and `gevent` libraries are now also recognized as socket binding operations.
@@ -1,5 +1,63 @@
-| BindToAllInterfaces_test.py:5:1:5:26 | Attribute() | '0.0.0.0' binds a socket to all interfaces. |
-| BindToAllInterfaces_test.py:9:1:9:18 | Attribute() | '' binds a socket to all interfaces. |
-| BindToAllInterfaces_test.py:17:1:17:26 | Attribute() | '0.0.0.0' binds a socket to all interfaces. |
-| BindToAllInterfaces_test.py:21:1:21:11 | Attribute() | '0.0.0.0' binds a socket to all interfaces. |
-| BindToAllInterfaces_test.py:26:1:26:20 | Attribute() | '::' binds a socket to all interfaces. |
+#select
+| BindToAllInterfaces_test.py:5:9:5:24 | ControlFlowNode for Tuple | BindToAllInterfaces_test.py:5:9:5:17 | ControlFlowNode for StringLiteral | BindToAllInterfaces_test.py:5:9:5:24 | ControlFlowNode for Tuple | Binding a socket to all interfaces (using $@) is a security risk. | BindToAllInterfaces_test.py:5:9:5:17 | ControlFlowNode for StringLiteral | '0.0.0.0' |
+| BindToAllInterfaces_test.py:9:9:9:16 | ControlFlowNode for Tuple | BindToAllInterfaces_test.py:9:9:9:10 | ControlFlowNode for StringLiteral | BindToAllInterfaces_test.py:9:9:9:16 | ControlFlowNode for Tuple | Binding a socket to all interfaces (using $@) is a security risk. | BindToAllInterfaces_test.py:9:9:9:10 | ControlFlowNode for StringLiteral | '' |
+| BindToAllInterfaces_test.py:17:9:17:24 | ControlFlowNode for Tuple | BindToAllInterfaces_test.py:16:14:16:22 | ControlFlowNode for StringLiteral | BindToAllInterfaces_test.py:17:9:17:24 | ControlFlowNode for Tuple | Binding a socket to all interfaces (using $@) is a security risk. | BindToAllInterfaces_test.py:16:14:16:22 | ControlFlowNode for StringLiteral | '0.0.0.0' |
+| BindToAllInterfaces_test.py:21:8:21:10 | ControlFlowNode for tup | BindToAllInterfaces_test.py:16:14:16:22 | ControlFlowNode for StringLiteral | BindToAllInterfaces_test.py:21:8:21:10 | ControlFlowNode for tup | Binding a socket to all interfaces (using $@) is a security risk. | BindToAllInterfaces_test.py:16:14:16:22 | ControlFlowNode for StringLiteral | '0.0.0.0' |
+| BindToAllInterfaces_test.py:26:9:26:18 | ControlFlowNode for Tuple | BindToAllInterfaces_test.py:26:9:26:12 | ControlFlowNode for StringLiteral | BindToAllInterfaces_test.py:26:9:26:18 | ControlFlowNode for Tuple | Binding a socket to all interfaces (using $@) is a security risk. | BindToAllInterfaces_test.py:26:9:26:12 | ControlFlowNode for StringLiteral | '::' |
+| BindToAllInterfaces_test.py:39:17:39:41 | ControlFlowNode for Tuple | BindToAllInterfaces_test.py:34:26:34:34 | ControlFlowNode for StringLiteral | BindToAllInterfaces_test.py:39:17:39:41 | ControlFlowNode for Tuple | Binding a socket to all interfaces (using $@) is a security risk. | BindToAllInterfaces_test.py:34:26:34:34 | ControlFlowNode for StringLiteral | '0.0.0.0' |
+| BindToAllInterfaces_test.py:48:9:48:18 | ControlFlowNode for Tuple | BindToAllInterfaces_test.py:46:35:46:43 | ControlFlowNode for StringLiteral | BindToAllInterfaces_test.py:48:9:48:18 | ControlFlowNode for Tuple | Binding a socket to all interfaces (using $@) is a security risk. | BindToAllInterfaces_test.py:46:35:46:43 | ControlFlowNode for StringLiteral | '0.0.0.0' |
+| BindToAllInterfaces_test.py:53:10:53:25 | ControlFlowNode for Tuple | BindToAllInterfaces_test.py:53:10:53:18 | ControlFlowNode for StringLiteral | BindToAllInterfaces_test.py:53:10:53:25 | ControlFlowNode for Tuple | Binding a socket to all interfaces (using $@) is a security risk. | BindToAllInterfaces_test.py:53:10:53:18 | ControlFlowNode for StringLiteral | '0.0.0.0' |
+| BindToAllInterfaces_test.py:58:10:58:25 | ControlFlowNode for Tuple | BindToAllInterfaces_test.py:58:10:58:18 | ControlFlowNode for StringLiteral | BindToAllInterfaces_test.py:58:10:58:25 | ControlFlowNode for Tuple | Binding a socket to all interfaces (using $@) is a security risk. | BindToAllInterfaces_test.py:58:10:58:18 | ControlFlowNode for StringLiteral | '0.0.0.0' |
+edges
+| BindToAllInterfaces_test.py:5:9:5:17 | ControlFlowNode for StringLiteral | BindToAllInterfaces_test.py:5:9:5:24 | ControlFlowNode for Tuple | provenance | Sink:MaD:63 |
+| BindToAllInterfaces_test.py:9:9:9:10 | ControlFlowNode for StringLiteral | BindToAllInterfaces_test.py:9:9:9:16 | ControlFlowNode for Tuple | provenance | Sink:MaD:63 |
+| BindToAllInterfaces_test.py:16:1:16:10 | ControlFlowNode for ALL_LOCALS | BindToAllInterfaces_test.py:17:9:17:24 | ControlFlowNode for Tuple | provenance | Sink:MaD:63 |
+| BindToAllInterfaces_test.py:16:1:16:10 | ControlFlowNode for ALL_LOCALS | BindToAllInterfaces_test.py:20:1:20:3 | ControlFlowNode for tup | provenance |  |
+| BindToAllInterfaces_test.py:16:14:16:22 | ControlFlowNode for StringLiteral | BindToAllInterfaces_test.py:16:1:16:10 | ControlFlowNode for ALL_LOCALS | provenance |  |
+| BindToAllInterfaces_test.py:20:1:20:3 | ControlFlowNode for tup | BindToAllInterfaces_test.py:21:8:21:10 | ControlFlowNode for tup | provenance | Sink:MaD:63 |
+| BindToAllInterfaces_test.py:26:9:26:12 | ControlFlowNode for StringLiteral | BindToAllInterfaces_test.py:26:9:26:18 | ControlFlowNode for Tuple | provenance | Sink:MaD:63 |
+| BindToAllInterfaces_test.py:33:18:33:21 | ControlFlowNode for self [Return] [Attribute bind_addr] | BindToAllInterfaces_test.py:41:10:41:17 | ControlFlowNode for Server() [Attribute bind_addr] | provenance |  |
+| BindToAllInterfaces_test.py:34:9:34:12 | [post] ControlFlowNode for self [Attribute bind_addr] | BindToAllInterfaces_test.py:33:18:33:21 | ControlFlowNode for self [Return] [Attribute bind_addr] | provenance |  |
+| BindToAllInterfaces_test.py:34:26:34:34 | ControlFlowNode for StringLiteral | BindToAllInterfaces_test.py:34:9:34:12 | [post] ControlFlowNode for self [Attribute bind_addr] | provenance |  |
+| BindToAllInterfaces_test.py:37:15:37:18 | ControlFlowNode for self [Attribute bind_addr] | BindToAllInterfaces_test.py:39:17:39:20 | ControlFlowNode for self [Attribute bind_addr] | provenance |  |
+| BindToAllInterfaces_test.py:39:17:39:20 | ControlFlowNode for self [Attribute bind_addr] | BindToAllInterfaces_test.py:39:17:39:30 | ControlFlowNode for Attribute | provenance |  |
+| BindToAllInterfaces_test.py:39:17:39:30 | ControlFlowNode for Attribute | BindToAllInterfaces_test.py:39:17:39:41 | ControlFlowNode for Tuple | provenance | Sink:MaD:63 |
+| BindToAllInterfaces_test.py:41:1:41:6 | ControlFlowNode for server [Attribute bind_addr] | BindToAllInterfaces_test.py:42:1:42:6 | ControlFlowNode for server [Attribute bind_addr] | provenance |  |
+| BindToAllInterfaces_test.py:41:10:41:17 | ControlFlowNode for Server() [Attribute bind_addr] | BindToAllInterfaces_test.py:41:1:41:6 | ControlFlowNode for server [Attribute bind_addr] | provenance |  |
+| BindToAllInterfaces_test.py:42:1:42:6 | ControlFlowNode for server [Attribute bind_addr] | BindToAllInterfaces_test.py:37:15:37:18 | ControlFlowNode for self [Attribute bind_addr] | provenance |  |
+| BindToAllInterfaces_test.py:46:1:46:4 | ControlFlowNode for host | BindToAllInterfaces_test.py:48:9:48:18 | ControlFlowNode for Tuple | provenance | Sink:MaD:63 |
+| BindToAllInterfaces_test.py:46:8:46:44 | ControlFlowNode for Attribute() | BindToAllInterfaces_test.py:46:1:46:4 | ControlFlowNode for host | provenance |  |
+| BindToAllInterfaces_test.py:46:35:46:43 | ControlFlowNode for StringLiteral | BindToAllInterfaces_test.py:46:8:46:44 | ControlFlowNode for Attribute() | provenance | dict.get |
+| BindToAllInterfaces_test.py:53:10:53:18 | ControlFlowNode for StringLiteral | BindToAllInterfaces_test.py:53:10:53:25 | ControlFlowNode for Tuple | provenance | Sink:MaD:63 |
+| BindToAllInterfaces_test.py:58:10:58:18 | ControlFlowNode for StringLiteral | BindToAllInterfaces_test.py:58:10:58:25 | ControlFlowNode for Tuple | provenance | Sink:MaD:63 |
+nodes
+| BindToAllInterfaces_test.py:5:9:5:17 | ControlFlowNode for StringLiteral | semmle.label | ControlFlowNode for StringLiteral |
+| BindToAllInterfaces_test.py:5:9:5:24 | ControlFlowNode for Tuple | semmle.label | ControlFlowNode for Tuple |
+| BindToAllInterfaces_test.py:9:9:9:10 | ControlFlowNode for StringLiteral | semmle.label | ControlFlowNode for StringLiteral |
+| BindToAllInterfaces_test.py:9:9:9:16 | ControlFlowNode for Tuple | semmle.label | ControlFlowNode for Tuple |
+| BindToAllInterfaces_test.py:16:1:16:10 | ControlFlowNode for ALL_LOCALS | semmle.label | ControlFlowNode for ALL_LOCALS |
+| BindToAllInterfaces_test.py:16:14:16:22 | ControlFlowNode for StringLiteral | semmle.label | ControlFlowNode for StringLiteral |
+| BindToAllInterfaces_test.py:17:9:17:24 | ControlFlowNode for Tuple | semmle.label | ControlFlowNode for Tuple |
+| BindToAllInterfaces_test.py:20:1:20:3 | ControlFlowNode for tup | semmle.label | ControlFlowNode for tup |
+| BindToAllInterfaces_test.py:21:8:21:10 | ControlFlowNode for tup | semmle.label | ControlFlowNode for tup |
+| BindToAllInterfaces_test.py:26:9:26:12 | ControlFlowNode for StringLiteral | semmle.label | ControlFlowNode for StringLiteral |
+| BindToAllInterfaces_test.py:26:9:26:18 | ControlFlowNode for Tuple | semmle.label | ControlFlowNode for Tuple |
+| BindToAllInterfaces_test.py:33:18:33:21 | ControlFlowNode for self [Return] [Attribute bind_addr] | semmle.label | ControlFlowNode for self [Return] [Attribute bind_addr] |
+| BindToAllInterfaces_test.py:34:9:34:12 | [post] ControlFlowNode for self [Attribute bind_addr] | semmle.label | [post] ControlFlowNode for self [Attribute bind_addr] |
+| BindToAllInterfaces_test.py:34:26:34:34 | ControlFlowNode for StringLiteral | semmle.label | ControlFlowNode for StringLiteral |
+| BindToAllInterfaces_test.py:37:15:37:18 | ControlFlowNode for self [Attribute bind_addr] | semmle.label | ControlFlowNode for self [Attribute bind_addr] |
+| BindToAllInterfaces_test.py:39:17:39:20 | ControlFlowNode for self [Attribute bind_addr] | semmle.label | ControlFlowNode for self [Attribute bind_addr] |
+| BindToAllInterfaces_test.py:39:17:39:30 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| BindToAllInterfaces_test.py:39:17:39:41 | ControlFlowNode for Tuple | semmle.label | ControlFlowNode for Tuple |
+| BindToAllInterfaces_test.py:41:1:41:6 | ControlFlowNode for server [Attribute bind_addr] | semmle.label | ControlFlowNode for server [Attribute bind_addr] |
+| BindToAllInterfaces_test.py:41:10:41:17 | ControlFlowNode for Server() [Attribute bind_addr] | semmle.label | ControlFlowNode for Server() [Attribute bind_addr] |
+| BindToAllInterfaces_test.py:42:1:42:6 | ControlFlowNode for server [Attribute bind_addr] | semmle.label | ControlFlowNode for server [Attribute bind_addr] |
+| BindToAllInterfaces_test.py:46:1:46:4 | ControlFlowNode for host | semmle.label | ControlFlowNode for host |
+| BindToAllInterfaces_test.py:46:8:46:44 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| BindToAllInterfaces_test.py:46:35:46:43 | ControlFlowNode for StringLiteral | semmle.label | ControlFlowNode for StringLiteral |
+| BindToAllInterfaces_test.py:48:9:48:18 | ControlFlowNode for Tuple | semmle.label | ControlFlowNode for Tuple |
+| BindToAllInterfaces_test.py:53:10:53:18 | ControlFlowNode for StringLiteral | semmle.label | ControlFlowNode for StringLiteral |
+| BindToAllInterfaces_test.py:53:10:53:25 | ControlFlowNode for Tuple | semmle.label | ControlFlowNode for Tuple |
+| BindToAllInterfaces_test.py:58:10:58:18 | ControlFlowNode for StringLiteral | semmle.label | ControlFlowNode for StringLiteral |
+| BindToAllInterfaces_test.py:58:10:58:25 | ControlFlowNode for Tuple | semmle.label | ControlFlowNode for Tuple |
+subpaths
@@ -1 +1,2 @@
-Security/CVE-2018-1281/BindToAllInterfaces.ql
+query: Security/CVE-2018-1281/BindToAllInterfaces.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
@@ -2,25 +2,61 @@
 
 # binds to all interfaces, insecure
 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-s.bind(('0.0.0.0', 31137))
+s.bind(('0.0.0.0', 31137)) # $ Alert[py/bind-socket-all-network-interfaces]
 
 # binds to all interfaces, insecure
 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-s.bind(('', 4040))
+s.bind(('', 4040)) # $ Alert[py/bind-socket-all-network-interfaces]
 
 # binds only to a dedicated interface, secure
 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 s.bind(('84.68.10.12', 8080))
 
 # binds to all interfaces, insecure
-ALL_LOCALS = "0.0.0.0"
-s.bind((ALL_LOCALS, 9090))
+ALL_LOCALS = "0.0.0.0" # $ Source
+s.bind((ALL_LOCALS, 9090)) # $ Alert[py/bind-socket-all-network-interfaces]
 
 # binds to all interfaces, insecure
 tup = (ALL_LOCALS, 8080)
-s.bind(tup)
+s.bind(tup) # $ Alert[py/bind-socket-all-network-interfaces]
 
 
 # IPv6
 s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
-s.bind(("::", 8080)) # NOT OK
+s.bind(("::", 8080)) # $ Alert[py/bind-socket-all-network-interfaces]
+
+
+# FN cases from https://github.com/github/codeql/issues/21582
+
+# Address stored in a class attribute
+class Server:
+    def __init__(self):
+        self.bind_addr = '0.0.0.0' # $ Source
+        self.port = 31137
+
+    def start(self):
+        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        s.bind((self.bind_addr, self.port)) # $ Alert[py/bind-socket-all-network-interfaces]
+
+server = Server()
+server.start()
+
+# os.environ.get with insecure default
+import os
+host = os.environ.get('APP_HOST', '0.0.0.0') # $ Source
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.bind((host, 8080)) # $ Alert[py/bind-socket-all-network-interfaces]
+
+# gevent.socket (alternative socket module)
+from gevent import socket as gsocket
+gs = gsocket.socket(gsocket.AF_INET, gsocket.SOCK_STREAM)
+gs.bind(('0.0.0.0', 31137)) # $ Alert[py/bind-socket-all-network-interfaces]
+
+# eventlet.green.socket (another alternative socket module)
+from eventlet.green import socket as esocket
+es = esocket.socket(esocket.AF_INET, esocket.SOCK_STREAM)
+es.bind(('0.0.0.0', 31137)) # $ Alert[py/bind-socket-all-network-interfaces]
+
+# AF_UNIX socket binding should not be flagged
+us = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
+us.bind('')
@@ -48,7 +48,7 @@ module KindValidation<KindValidationConfigSig Config> {
           // CPP-only currently
           "remote-sink",
           // Python-only currently, but may be shared in the future
-          "prompt-injection"
+          "bind-socket-all-interfaces", "prompt-injection"
         ]
       or
       this.matches([